F5 and Versafe: Because Mobility Matters
#F5 #security #cloud #mobile #context Context means more visibility into devices, networks, and applications even when they're unmanaged. Mobility is a significant driver of technology today. Whether it's mobility of applications between data center and cloud, web and mobile device platform or users from corporate to home to publicly available networks, mobility is a significant factor impacting all aspects of application delivery but in particular, security. Server virtualization, BYOD, SaaS, and remote work all create new security problems for data center managers. No longer can IT build a security wall around its data center; security must be provided throughout the data and application delivery process. This means that the network must play a key role in securing data center operations as it “touches” and “sees” all traffic coming in and out of the data center. -- Lee Doyle, GigaOM "Survey: SDN benefits unclear to enterprise network managers" 8/29/2013 It's a given that corporate data and access to applications need to be protected when delivered to locations outside corporate control. Personal devices, home networks, and cloud storage all introduce the risk of information loss through a variety of attack vectors. But that's not all that poses a risk. Mobility of customers, too, is a source of potential disaster waiting to happen as control over behavior as well as technology is completely lost. Industries based on consumers and using technology to facilitate business transactions are particularly at risk from consumer mobility and, more importantly, from the attackers that target them. If the risk posed by successful attacks - phishing, pharming and social engineering - isn't enough to give the CISO an ulcer, the cost of supporting sometimes technically challenged consumers will. Customer service and support has become in recent years not only a help line for the myriad web and mobile applications offered by an organization, but a security help desk, as well, as consumers confused by e-mail and web attacks make use of such support lines. F5 and Security F5 views security as a holistic strategy that must be able to dig into not just the application and corporate network, but into the device and application, as well as the networks over which users access both mobile and web applications. That's where Versafe comes in with its unique combination of client-side intelligent visibility and subscription-based security service. Versafe's technology employs its client-side visibility and logic with expert-driven security operations to ensure real-time detection of a variety of threat vectors common to web and mobile applications alike. Its coverage of browsers, devices and users is comprehensive. Every platform, every user and every device can be protected from a vast array of threats including those not covered by traditional solutions such as session hijacking. Versafe approaches web fraud by monitoring the integrity of the session data that the application expects to see between itself and the browser. This method isn’t vulnerable to ‘zero-day’ threats: malware variants, new proxy/masking techniques, or fraudulent activity originating from devices, locations or users who haven’t yet accumulated digital fraud fingerprints. Continuous Delivery Meets Continuous Security Versafe's solution can accomplish such comprehensive coverage because it's clientless,relying on injection into web content in real time. That's where F5 comes in. Using F5 iRules, the appropriate Versafe code can be injected dynamically into web pages to scan and detect potential application threats including script injection, trojans, and pharming attacks. Injection in real-time through F5 iRules eliminates reliance on scanning and updating heterogeneous endpoints and, of course, relying on consumers to install and maintain such agents. This allows the delivery process to scale seamlessly along with users and devices and reasserts control over processes and devices not under IT control, essentially securing unsecured devices and lines of communication. Injection-based delivery also means no impact on application developers or applications, which means it won't reduce application development and deployment velocity. It also enables real-time and up-to-the-minute detection and protection against threats because the injected Versafe code is always communicating with the latest, up-to-date security information maintained by Versafe at its cloud-based, Security Operations Center. User protection is always on, no matter where the user might be or on what device and doesn't require updating or action on the part of the user. The clientless aspect of Versafe means it has no impact on user experience. Versafe further takes advantage of modern browser technology to execute with no performance impact on the user experience, That's a big deal, because a variety of studies on real behavior indicates performance hits of even a second on load times can impact revenue and user satisfaction with web applications. Both the web and mobile offerings from Versafe further ensure transaction integrity by assessing a variety of device-specific and behavioral variables such as device ID, mouse and click patterns, sequencing of and timing between actions and continuous monitoring of JavaScript functions. These kinds of checks are sort of an automated Turing test; a system able to determine whether an end-user is really a human being - or a bot bent on carrying out a malicious activity. But it's not just about the mobility of customers, it's also about the mobility - and versatility - of modern attackers. To counter a variety of brand, web and domain abuse, Versafe's cloud-based 24x7x365 Security Operations Center and Malware Analysis Team proactively monitors for organization-specific fraud and attack scheming across all major social and business networks to enable rapid detection and real-time alerting of suspected fraud. EXPANDING the F5 ECOSYSTEM The acquisition of Versafe and its innovative security technologies expands the F5 ecosystem by exploiting the programmable nature of its platform. Versafe technology supports and enhances F5's commitment to delivering context-aware application services by further extending our visibility into the user and device domain. Its cloud-based, subscription service complements F5's IP Intelligence Service, which provides a variety of similar service-based data that augments F5 customers' ability to make context-aware decisions based on security and location data. Coupled with existing application security services such as web application and application delivery firewalls, Versafe adds to the existing circle of F5 application security services comprising user, network, device and application while adding brand and reputation protection to its already robust security service catalog. We're excited to welcome Versafe into the F5 family and with the opportunity to expand our portfolio of delivery services. More information on Versafe: Versafe Versafe | Anti-Fraud Solution (Anti Phishing, Anti Trojan, Anti Pharming) Versafe Identifies Significant Joomla CMS Vulnerability & Corresponding Spike in Phishing, Malware Attacks Joomla Exploit Enabling Malware, Phishing Attacks to be Hosted from Genuine Sites 'Eurograbber' online banking scam netted $47 millionCloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist?
This question has been puzzling a few folks of late, not just CloudFucius. The Judicial/legal side of the internet seems to have gotten some attention lately even though courts have been trying to make sense and catch up with technology for some time, probably since the Electronic Communications Privacy Act of 1986. There are many issues involved here but a couple stand out for CloudFucius. First, there is the ‘Privacy vs. Convenience’ dilemma. Many love and often need the GPS Navigators whether it be a permanent unit in the vehicle or right from our handheld device to get where we need to go. These services are most beneficial when searching for a destination but it is also a ‘tracking bug’ in that, it records every movement we make. This has certainly been beneficial in many industries like trucking, delivery, automotive, retail and many others, even with some legal issues. It has helped locate people during emergencies and disasters. It has also helped in geo-tagging photographs. But, we do give up a lot of privacy, secrecy and confidentiality when using many of the technologies designed to make our lives ‘easier.’ Americans have a rather tortured relationship with privacy. They often say one thing ("Privacy is important to me") but do another ("Sure, thanks for the coupon, here's my Social Security Number") noted Lee Rainie, head of the Pew Internet and American Life Project. From: The Constitutional issues of cloud computing You might not want anyone knowing where you are going but by simply using a navigation system to get to your undisclosed location, someone can track you down. Often, you don’t even need to be in navigation mode to be tracked – just having GPS enabled can leave breadcrumbs. Don’t forget, even the most miniscule trips to the gas station can still contain valuable data….to someone. How do you know if your milk runs to the 7-Eleven aren’t being gathered and analyzed? At the same, where is that data stored, who has access and how is it being used? I use GPS when I need it and I’m not suggesting dumping it, just wondering. Found a story where Mobile Coupons are being offered to your phone. Depending on your GPS location, they can send you a coupon for a nearby merchant along with this one about Location-Based strategies. Second, is the Fourth Amendment in the digital age. In the United States, the 4th Amendment protects against unreasonable searches and seizures. Law enforcement needs to convince a judge that a serious crime has/is occurring to obtain a warrant prior to taking evidence from a physical location, like your home. It focuses on physical possessions and space. For instance, if you are committing crimes, you can place your devious plans in a safe hidden in your bedroom and law enforcement needs to present a search warrant before searching your home for such documents. But what happens if you decide to store your ‘Get rich quick scheme’ planning document in the cloud? Are you still protected? Can you expect certain procedures to be followed before that document is accessed? The Computer Crime & Intellectual Property Section of the US Dept of Justice site states: To determine whether an individual has a reasonable expectation of privacy in information stored in a computer, it helps to treat the computer like a closed container such as a briefcase or file cabinet. The Fourth Amendment generally prohibits law enforcement from accessing and viewing information stored in a computer if it would be prohibited from opening a closed container and examining its contents in the same situation….Although courts have generally agreed that electronic storage devices can be analogized to closed containers, they have reached differing conclusions about whether a computer or other storage device should be classified as a single closed container or whether each individual file stored within a computer or storage device should be treated as a separate closed container. But, you might lose that Fourth Amendment right when you give control to a third party, such as a cloud provider. Imagine you wrote a play about terrorism and used a cloud service to store your document. Maybe there were some ‘surveillance’ keywords or triggers used as character lines. Maybe there is scene at a transportation hub (train, airport, etc) and characters themselves say things that could be taken as domestic threats – out of context of course. You should have some expectation that your literary work is kept just as safe/secure while in the cloud as it is on your powered down hard drive or stack of papers on your desk. And we haven’t even touched on compliance, records retention, computer forensics, data recovery and many other litigating issues. The cases continue to play out and this blog entry only covers a couple of the challenges associated with Cloud Computing and the Law, but CloudFucius will keep an eye on it for ya. Many of the articles found while researching this topic: The Constitutional issues of cloud computing In digital world, we trade privacy for convenience Cloud Computing and the Constitution INTERNET LAW - Search and Seizure of Home Computers in Virginia Time to play catch-up on Internet laws: The gap between technology and America's laws hit home last week in a court decision on network neutrality FCC considers reclassification of Internet in push to regulate it Personal texting on a work phone? Beware your boss High Court Justices Consider Privacy Issues in Text Messaging Case Yahoo wins email battle with US Government How Twitter’s grant to the Library of Congress could be copyright-okay Judge Orders Google To Deactivate User's Gmail Account FBI Warrant Sought Google Apps Content in Spam Case State court rules company shouldn't have read ex-staffer's private e-mails District Took 56,000 Pictures From Laptops Can the Cloud survive regulation? Group challenging enhanced surveillance law faces uphill climb Watchdogs join 'Net heavyweights in call for privacy law reform Digital Due Process Judge's judgment called into question Dept of Justice Electronic Evidence and Search & Seizure Legal Resources Electronic Evidence Case Digest Electronic Evidence Finally, you might be wondering why CloudFucius went from A to C in his series. Well, this time we decided to jump around but still cover 26 interesting topics. And one from Confucius himself: I am not one who was born in the possession of knowledge; I am one who is fond of antiquity, and earnest in seeking it there. ps The CloudFucius Series: Intro, 1When Applications Drive the Network
#SDDC #SDN #context When applications can dictate service invocation dynamically, then we'll have a truly dynamic network There's a lot of lip service given to the notion of applications defining the way the network behaves. That's primarily because it's recognized that today, at least, it's an application world. Applications are large and in-charge in the eyes of the business who, after all, pays all the bills So it's really not surprising to hear a renewed focus on applications as the driving force behind behavior of networks. The network has for too long been seen as little more than a big fat pipe, a mere transportation system for bits and bytes traversing client to application and back again. But that view undervalues the benefits of the network. The network can, after all, provide a variety of services from the mundane to the spectacular that aid in the delivery of applications. Applications, after all, aren't always aware (for a variety of technical reasons we won't dive into today because, well, you'd need a fresh pot of coffee, trust me) of conditions in the data path - including those on the Internet - that might be adversely affecting performance. Worse, there's not a whole lot an application can do about even if it knows. Many of the performance-enhancing options available to an application are configured on a "server" wide (and I use the term "server" here very loosely to refer to an application or web server instance) basis. Even though it might benefit Alice to turn off compression or turn on caching, it's not feasible to do so because it impacts Bob and Mary, as well. And they might need compression but not caching. Or some other combination thereof. That's where the "network" comes in, or more precisely where the application service network comes in. It does have the visibility into the network, and into the device layer (the client), as well as the application layer to determine what the best combination of services is that will result in the best possible performance for this user on this device at this time given conditions across all networks. Yeah, it's pretty powerful when you think about. But what isn't always easy is managing to actually provide a dynamic means of adjusting those services in real-time. Generally speaking, you configure a set of services based on something akin to an 80/20 rule and shrug. Greater good and all that, benefits of the many outweigh the negatives to a smaller population. But what if it didn't have to be like that? What if you could, actually, automatically make those adjustments based on context and serve 100% of the users with optimal performance? What if the network really were driven by applications and understood that for Bob, on his iPhone at the local Sbux, compression will help so the network invokes that service - even while at the same time Mary is on her PC at headquarters and it won't, so the network doesn't invoke that service. Same application, different context. Same application, entirely different services applied on-demand. Not only is that optimal for the user, but it's also great for the business stakeholder that's paying the bills. Because not only are they now only paying for what they use, they're only paying for what they need, as well. That's where we have to get. To a place where the network isn't just application-centric, or application-aware, but application-driven. Where applications drive service invocation in real-time, automatically and based on the unique context that surrounds each and every request that traverses the network. I'm not talking about pre-defined application-specific policies full of if-then-else statements. I'm talking about an intermediary that's able to grab the context and evaluate it for any application and make intelligent decisions regarding the invocation of services based on whether or not they'll actually provide value in terms of enhanced security, improved performance or higher reliability. That's where the evolution of application delivery is going: to a world where applications are not just sitting in the passenger seat on the network, they're driving.BYOD and the Death of the DMZ
#BYOD #infosec It's context that counts, not corporate connections. BYOD remains a topic of interest as organizations grapple not only technologically with the trend but politically, as well. There are dire warnings that refusing to support BYOD will result in an inability to attract and retain up and coming technologists, that ignoring the problems associated with BYOD will eventually result in some sort of karmic IT event that will be painful for all involved. Surveys continue to tell us organizations cannot ignore BYOD. A recent ITIC survey indicated a high level of BYOD across the global 550 companies polled. 51% of workers utilize smart phones as their BYOD devices; another 44% use notebooks and ultra books, while 31% of respondents indicated they use tablets (most notably the Apple iPad) and 23% use home-based desktop PCs or Macs. It's here, it's now, and it's in the data center. The question is no longer "will you allow it" but "how will you secure/manage/support it"? It's that first piece – secure it – that's causing some chaos and confusion. Just as we discovered with cloud computing early on, responsibility for anything shared is muddled. When asked who should bear responsibility for the security of devices in BYOD situations, respondents offered a nearly equal split between company (37%) and end-user (39%) with 21% stating it fell equally on both. From an IT security perspective, this is not a bad split. Employees should be active participants in organizational security. Knowing is, as GI Joe says, half the battle and if employees bringing their own devices to work are informed and understand the risks, they can actively participate in improving security practices and processes. But relying on end-users for organizational security would be folly, and thus IT must take responsibility for the technological enforcement of security policies developed in conjunction with the business. One of the first and most important things we must do to enable better security in a BYOD (and cloudy) world is to kill the DMZ. [Pause for apoplectic fits] By kill the DMZ I don't mean physically dismantle the underlying network architecture supporting it – I mean logically. The DMZ was developed as a barrier between the scary and dangerous Internet and sensitive corporate data and applications. That barrier now must extend to inside the data center, to the LAN, where the assumption has long been devices and users accessing data center resources are inherently safe. They are not (probably never have been, really). Every connection, every request, every attempt to access an application or data within the data center must be treated as suspect, regardless of where it may have originated and without automatically giving certain devices privileges over others. A laptop on the LAN may or may not be BYOD, it may or may not be secure, it may or may not be infected. A laptop on the LAN is no more innately safe than a tablet than is a smart phone. SMARTER CONTROL This is where the concept of a strategic point of control comes in handy. If every end-user is funneled through the same logical tier in the data center regardless of network origination, policies can be centrally deployed and enforced to ensure appropriate levels of access based on the security profile of the device and user. By sharing access control across all devices, regardless of who purchased and manages them, policies can be tailored to focus on the application and the data, not solely on the point of origination. While policies may trigger specific rules or inspections based on device or originating location, ultimately the question is who can access a given application and data and under what circumstances? It's context that counts, not corporate connections. The questions must be asked, regardless of whether the attempt to access begins within the corporate network boundaries or not. Traffic coming from the local LAN should not be treated any differently than that of traffic entering via the WAN. The notion of "trusted" and "untrusted" network connectivity has simply been obviated by the elimination of wires and the rampant proliferation of malware and other destructive digital infections. In essence, the DMZ is being – and must be - transformed. It's no longer a zone of inherent distrust between the corporate network and the Internet, it's a zone of inherent distrust between corporate resources and everything else. Its design and deployment as a buffer is still relevant, but only in the sense that it stands between critical assets and access by hook, crook, or tablet. The DMZ as we have known it is dead. Trust no one. Referenced blogs and articles: If Security in the Cloud Were Handled Like Car AccidentsMultiscreen Multitasking
Talk about killing two birds with one stone - according to a Pew Internet & American Life Project report, more Americans on their phones while watching TV. About half of U.S. mobile phone owners use their devices while watching TV, a new study suggests. While most (38%) are clicking away as a commercial filler, many are enhancing their viewing experience by interacting along with the program. About 23% of cellphone users exchange text messages with their friends about the same show they are simultaneously watching on TV; around 20% of them visit websites mentioned on TV; 22% used their phone to check whether something they heard on television was true; 11% of cellphone owners use their devices to read what others are writing online about a particular television program; another 11% posts comments on online boards using their cellphones; and 6% used their phone to vote for a reality show contestant. Both men and women equally are glued to their smartphone while watching TV with the 18-24 age bracket leading the way (81%), followed by the 25-34 group (72%). The massive growth of smartphones and how we use them is infiltrating every aspect of our lives. The most basic task of making a phone call seems miniscule compared to the many other things we do with smartphones. Our personal devices are also becoming the primary mobile device we use for work with all the BYOD initiates being implemented. It’s also clear that with all the other tasks and activities we use our smartphones for, providing a solid BYOD policy within an organization is important to keeping corporate resources safe. Not sure how I turned the results of a TV survey into a BYOD challenge but there you have it. And somehow the famous words of Homer Simpson now have much more meaning, ‘Then we figured out we could park them in front of the TV. That's how I was raised, and I turned out TV.’ ps References: More Americans on their phones while watching TV Cellphone usage, television watching go hand in hand The Rise of the “Connected Viewer” More Americans Are Using Mobile Phones While Watching TV Americans juggle phones, TV at same time: survey Man Watches 252 Netflix Movies in a Month, Gets Invited to Netflix HQ Will BYOL Cripple BYOD? What’s in Your Smartphone? Freedom vs. Control BYOD–The Hottest Trend or Just the Hottest Term Here's Help for Mobile Security Cellphone Surveillance ExplodesIn 5 Minutes or Less Video - IP Intelligence Service
I show you how to configure the IP Intelligence Service available on BIG-IP v11.2, in 5 Minutes or Less. By identifying relevant IP addresses and leveraging intelligence from cloud-context security solutions, F5's new IP Intelligence service combines valuable information on the latest threats with the unified policy enforcement capabilities of the BIG-IP application delivery platform. Deployed as part of the BIG-IP system, F5’s IP Intelligence service leverages data from multiple sources to effectively gather real-time IP threat information and block connections with those addresses. The service reveals both inbound and outbound communication with malicious IP addresses to enable granular threat reporting and automated blocking, helping IT teams create more effective security policies to protect their infrastructures. ";" alt="" /> In 5 Minutes or Less - IP Intelligence Service A free 30 day evaluation of the IP intelligence service is available. psBYOD–The Hottest Trend or Just the Hottest Term
It goes by many names: ‘Bring Your Own Danger’, ‘Bring Your Own Disaster’ and what most people call ‘Bring Your Own Device’ and everyone it seems is writing, talking and surveying about BYOD. What used to be inconceivable, using your own personal mobile device/smartphone for work, is now one of the hottest trends or at least, one of the hottest topics being discussed throughout the IT industry. The idea of using a personal smartphone at work sprouted, I think, when many executives got their first iPhone back in 2007 and wanted access to corporate resources. As more smartphones made their way into employee’s hands, the requests for corporate access only grew. Initially resistant to the idea due to security concerns, IT seems to be slowly adopting the concept based on the many blogs, articles and surveys that have littered the internet of late. But, it is a true trend that will transform IT or simply a trending term getting a lot of attention? We’ll be right back after these important messages. Just Kidding. Most likely the former. While many of the cautionary articles talk about potentially grim disasters, they do acknowledge that BYOD is not going away and in fact, is gaining ground. Greater productivity and cost savings seem to be the driving factors. Let’s take a quick look at the smattering of articles surrounding this offshoot of IT consumerization. The Mobile Device Threat: Shocking Mobile Security Stats: A nice slide show featuring highlights from a recent Ponemon Institute and Websense survey. Right out of the gate they talk about how mobile devices are a double-edge sword for enterprises. 77 % of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% - believe that these tools introduce a "serious" set of risks. While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them. As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, smartphones, and tablets while 51% said their organization has experienced a data breach due to insecure devices. While 45% do have a corporate use policy, less than half of those actually enforce it. In terms of recommendations based on their findings they said, be sure to understand the risk that mobile devices create in the workplace; educate employees about the importance of safeguarding their devices; create a mobile device corporate policy and leverage mobile device management solutions, security access controls, and even cloud services to keep confidential data out of the eyes of unauthorized viewers. 10 myths of BYOD in the enterprise: A nice top 10 from TechRepublic primarily pulling data from a recent Avanadesurvey of more than 600 IT and business leaders. The notion of IT resistance to BYOD is somewhat squashed here with nine out of 10 respondents (according to the results) saying their employees are using their own tech at work. They found that more Androids are encroaching the workplace; that employees are actually using it for work rather than playing games and that nearly 80% of enterprises will make investments this year to manage consumer technologies. There’s 7 more myths along with a couple nice graphics to go along with the list. Interesting and quick read. When Business and Personal Combine: This Wall Street Journal article talks specifically about the conundrum companies and employees face when a remote wipe comes into play. What happens, or really, how to deal with situations when there is a fear of a data breach yet wiping the device also deletes all the employee’s personal data, like family pictures. Policies, use agreements and mobile device management (MDM) solutions are potential solutions. The new BYOD: Businesses are now driving adoption: Rather than the perils of BYOD, this InfoWorld article talks about how enterprises are starting to actively encourage BYOD, not just passively accept it. Reporting on Good Technology’s recent BYOD survey, they found that organizations are jumping on the phenomenon sine they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. BYOD Is The Challenge Of The Decade: Europe is also seeing the BYOD trend. This TechWeek Europe article talks about the familiar threats of malware, spyware, worms and other malicious software but also says that BYOD success depends on both people and technology. That it’s important to involve management early, consider the legal and financial ramifications along with risks to the business to then make an informed decision about a BYOD plan. Not sure if it’s the challenge of the decade but it’s a great headline and will continue to fluster IT in the coming years. IT Security's Scariest Acronym: BYOD, Bring Your Own Device: This PCWorld article uses Nemertes Research data to cover the discrepancies between how companies treat laptops (which can be mobile) and mobile devices themselves. They both have VPN capabilities and device encryption available but stray in different directions after that commonality. The obvious difference is laptops are usually IT owned and smartphones are personally owned. They suggest that it’s a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, "Is this difference based on valid reasons or a result of legacy thinking?" BYOD Challenge: How IT Can Keep User-Owned iPhones And iPads Secure In Enterprise: This article looks at both the technical and personal challenges to securing employee-owned devices along with suggestions like user education, cost sharing, purchase assistance, tiered access, reward for enrollment and reward for good behavior. I like the last one since much of our challenges and much of what I write about is human behavior, the human condition and why we do the risky things we do. BYOD: Manage the Risks and Opportunities: Bankinfosecurity.com is one of my weekly stops on the internet circuit. While this article is more a primer for an upcoming webinar, it does offer a number a good questions to ask while considering a BYOD strategy. They also say that it's no longer a question of whether to allow employees to use their own devices – the questions are now about inventory, security, privacy, compliance, policy and opportunity. Some BYOD thoughts based on all of the above, in no particular order: Have a BYOD policy or forbid the use all together. Two things can happen if not: personal devices are being blocked and organizations are losing productivity OR the personal devices are accessing the network (with or without an organization's consent) and nothing is being done pertaining to security or compliance. Ensure employees understand what can and cannot be accessed with personal devices along with understanding the risks (both users and IT) associated with such access. What's the written policy and how is it enforced. Acceptable use. Ensure procedures are in place (and understood) in cases of an employee leaving the company; what happens when a device is lost or stolen (ramifications of remote wiping a personal device); what types/strength of passwords are required; record retention and destruction; the allowed types of devices; what types of encryption is used. Organizations need to balance the acceptance of consumer-focused smartphones/tablets with control of those devices to protect their networks. Organizations need to have a complete inventory of employee's personal devices - at least the one’s requesting access. Organizations need the ability to enforce mobile policies. Securing the devices. Organizations need to balance the company's security with the employee's privacy like, off-hours browsing activity on a personal device. Personally, I do find that if I’m playing a game at 9pm and an email comes in, I typically read it. F5 has a number of solutions to help organizations conquer their BYOD fears. From the Edge Client, to our BIG-IP Global Access Solutions (BIG-IP APM and BIG-IP Edge Gateway) to the recent MDM partnership announcements, we can help ensure secure and fast application performance for mobile users. ps Related or, …and the Rest: The Dark Side of BYOD – Remote Wiping and Other Issues How do we manage the BYOD boom, at the technical end? BYOD: Bring your own device could spell end for work PC Bring Your Own Device: Risks and rewards What Risk Does 'BYOD' Pose To Your Business? Survey Says Mobile Device Security Threats Attract Cybercriminals The BYOD Security Dilemma BYOD and the hidden risk of IT security BYOD Policy Template Secure iPhone Access to Corporate Web ApplicationsKids and their Dot Coms
My daughter likes to glue pictures in a composition notebook – Disney Princesses, giraffes, fairies, Barbie scenes, herself and many other things a kindergartener gravitates towards. Usually she asks for certain characters or a particular animal and I go find and print. This weekend, however, as she was asking for some Barbie pictures and a basketball player, she specifically said, ‘you need to go to barbie.com and basketballplayer.com to get the pictures.’ Oh really? She’s known about ‘dot com’ for a while, especially buyslushymagic.com but this was one of the first times she’s requested, rather instructed me to visit specific sites for her crafts. She is good at a keyboard and knows how to search for youtube videos, which is becoming the norm for 5 year olds. I totally understand that each generation, due to whatever technological advancements, grow up in different era's with different ways of doing things and many conversations start with, ‘When I was growing up…’ or ‘When I was a kid…’ We didn’t have TV; we only had black & white TV; we had to get up to change the channel on our TV; we didn’t have cable TV; we had square TVs; we didn’t have HDTV; our TV wasn’t hooked up to the internet; we didn’t have streaming movies to the TV and soon it’ll be, ‘we didn’t have TVs that watched us when I was a kid.’ It’s fun to live during a time of so much technology innovation and growth and to work for a company, F5, that is an integral part of how it all works. And as is usually the case when I’m contemplating some nostalgia related topic, I came across this infographic: Isn’t it fun to look back and remember what we were doing last century? psOde to FirePass
A decade ago, remote VPN access was a relatively new concept for businesses; it was available only to a select few who truly needed it, and it was usually over a dial-up connection. Vendors like Cisco, Check Point, and Microsoft started to develop VPN solutions using IPsec, one of the first transport layer security protocols, and RADIUS Server. At first organizations had to launch the modem and enter the pertinent information, but soon client software was offered as a package. This client software had to be installed, configured, and managed on the user’s computer. As high-speed broadband became a household norm and SSL/TLS matured, the SSL VPN arrived, allowing secure connections via a browser-based environment. Client pre-installation and management hassles were eliminated; rather the masses now had secure access to corporate resources with just a few browser components and an appliance in the data center. These early SSL VPNs, like the first release of F5’s FirePass, offered endpoint checks and multiple modes of access depending on user needs. At the time, most SSL VPNs were limited in areas like overall performance, logins per second, concurrent sessions/users, and in some cases, throughput. Organizations that offered VPN extended it to executives, frequent travelers, and IT staff, and it was designed to provide separated access for corporate employees, partners, and contractors over the web portal. But these organizations were beginning to explore company-wide access since most employees still worked on-site. Today, almost all employees have multiple devices, including smartphones, and most companies offer some sort of corporate VPN access. By 2015, 37.2 percent of the worldwide workforce will be remote and therefore mobile—that’s 1.3 billion people. Content is richer, phones are faster, and bandwidth is available—at least via broadband to the home. Devices need to be authenticated and securely connected to corporate assets, making a high-performance Application Delivery Controller (ADC) with unified secure access a necessity. As FirePass is retired, organizations will have two ADC options with which to replace it: F5 BIG-IP Edge Gateway, a standalone appliance, and BIG-IP Access Policy Manager (APM), a module that can be added to BIG-IP LTM devices. Both products are more than just SSL VPNs—they’re the central policy control points that are critical to managing dynamic data center environments. A Little History F5’s first foray into the SSL VPN realm was with its 2003 purchase of uRoam and its flagship product, FirePass. Although still small, Infonetics Research predicted that the SSL VPN market will swell from around $25 million [in 2002] to $1 billion by 2005/6 and the old meta Group forecasted that SSL-based technology would be the dominant method for remote access, with 80 percent of users utilizing SSL by 2005/6. They were right—SSL VPN did take off. Using technology already present in web browsers, SSL VPNs allowed any user from any browser to type in a URL and gain secure remote access to corporate resources. There was no full client to install—just a few browser control components or add-on to facilitate host checks and often, SSL-tunnel creation. Administrators could inspect the requesting computer to ensure it achieved certain levels of security, such as antivirus software, a firewall, and client certificates. Like today, there were multiple methods to gain encrypted access. There was (and still is) the full layer-3 network access connection; a port forwarding or application tunnel–type connection; or simply portal web access through a reverse proxy. SSL VPNs Mature With more enterprises deploying SSL VPNs, the market grew and FirePass proved to be an outstanding solution. Over the years, FirePass has lead the market with industry firsts like the Visual Policy Editor, VMware View support, group policy support, an SSL client that supported QoS (quality of service) and acceleration, and integrated support with third-party security solutions. Every year from 2007 through 2010, FirePass was an SC Magazine Reader Trust finalist for Best SSL VPN. As predicted, SSL VPN took off in businesses; but few could have imagined how connected the world would really become. There are new types of tablet devices and powerful mobile devices, all growing at accelerated rates. And today, it’s not just corporate laptops that request access, but personal smartphones, tablets, home computers, televisions, and many other new devices that will have an operating system and IP address. As the market has grown, the need for scalability, flexibility, and access speed became more apparent. In response, F5 began including the FirePass SSL VPN functionality in the BIG-IP system of Application Delivery Controllers, specifically, BIG-IP Edge Gateway and BIG-IP Access Policy Manager (APM). Each a unified access solution, BIG-IP Edge Gateway and BIG-IP APM are scalable, secure, and agile controllers that can handle all access needs, whether remote, wireless, mobile, or LAN. The secure access reigns of FirePass have been passed to the BIG-IP system; by the end of 2012, FirePass will no longer be available for sale. For organizations that have a FirePass SSL VPN, F5 will still offer support for it for several years. However those organizations are encouraged to test BIG-IP Edge Gateway or BIG-IP APM. Unified Access Today The accelerated advancement of the mobile and remote workforce is driving the need to support tens of thousands concurrent users. The bursting growth of Internet traffic and the demand for new services and rich media content can place extensive stress on networks, resulting in access latency and packet loss. With this demand, the ability of infrastructure to scale with the influx of traffic is essential. As business policies change over time, flexibility within the infrastructure gives IT the agility needed to keep pace with access demands while the security threats and application requirements are constantly evolving. Organizations need a high-performance ADC to be the strategic point of control between users and applications. This ADC must understand both the applications it delivers and the contextual nature of the users it serves. BIG-IP Access Policy Manager BIG-IP APM is a flexible, high-performance access and security add-on module for either the physical or virtual edition of BIG-IP Local Traffic Manager (LTM). BIG-IP APM can help organizations consolidate remote access infrastructure by providing unified global access to business-critical applications and networks. By converging and consolidating remote access, LAN access, and wireless connections within a single management interface, and providing easy-to-manage access policies, BIG-IP APM can help free up valuable IT resources and scale cost-effectively. BIG-IP APM protects public-facing applications by providing policy-based, context-aware access to users while consolidating access infrastructure. BIG-IP Edge Gateway BIG-IP Edge Gateway is a standalone appliance that provides all the benefits of BIG-IP APM—SSL VPN remote access security—plus application acceleration and WAN optimization services at the edge of the network—all in one efficient, scalable, and cost-effective solution. BIG-IP Edge Gateway is designed to meet current and future IT demands, and can scale up to 60,000 concurrent users on a single box. It can accommodate all converged access needs, and on a single platform, organizations can manage remote access, LAN access, and wireless access by creating unique policies for each. BIG-IP Edge Gateway is the only ADC with remote access, acceleration, and optimization services built in. To address high latency links, technologies like intelligent caching, WAN optimization, compression, data deduplication, and application-specific optimization ensure the user is experiencing the best possible performance, 2 to 10 times faster than legacy SSL VPNs. BIG-IP Edge Gateway gives organizations unprecedented flexibility and agility to consolidate all their secure access methods on a single device. FirePass SSL VPN Migration A typical F5 customer might have deployed FirePass a few years ago to support RDP virtual desktops, endpoint host checks, and employee home computers, and to begin the transition from legacy IPsec VPNs. As a global workforce evolved with their smartphones and tablets, so did IT's desire to consolidate their secure access solutions. Many organizations have upgraded their FirePass controller functionality to a single BIG-IP appliance. Migrating any system can be a challenge, especially when it is a critical piece of the infrastructure that global users rely on. Migrating security devices, particularly remote access solutions, can be even more daunting since policies and settings are often based on an identity and access management framework. Intranet web applications, network access settings, basic device configurations, certificates, logs, statistics, and many other settings often need to be configured on the new controller. FirePass can make migrating to BIG-IP Edge Gateway or BIG-IP APM a smooth, fast process. The FirePass Configuration Export Tool, available as a hotfix (HF-359012-1) for FirePass v6.1 and v7, exports configurations into XML files. Device management, network access, portal access, and user information can also all be exported to an XML file. Special settings like master groups, IP address pools, packet filter rules, VLANS, DNS, hosts, drive mappings, policy checks, and caching and compression are saved so an administrator can properly configure the new security device. It’s critical that important configuration settings are mapped properly to the new controller, and with the FirePass Configuration Export Tool, administrators can deploy the existing FirePass configurations to a new BIG-IP Edge Gateway device or BIG-IP APM module. A migration guide will be available shortly. SSL VPNs like FirePass have helped pave the way for easy, ubiquitous remote access to sensitive corporate resources. As the needs of the corporate enterprise change, so must the surrounding technology tasked with facilitating IT initiates. The massive growth of the mobile workforce and their devices, along with the need to secure and optimize the delivery of rich content, requires a controller that is specifically developed for application delivery. Both BIG-IP Edge Gateway and BIG-IP APM offer all the SSL VPN functionality found in FirePass, but on the BIG-IP platform. ps Resources: 2011 Gartner Magic Quadrant for SSL VPNs F5 Positioned in Leaders Quadrant of SSL VPN Magic Quadrant SOL13366 - End of Sale Notice for FirePass SOL4156 - FirePass software support policy Secure Access with the BIG-IP System | (whitepaper) FirePass to BIG-IP APM Migration Service F5 FirePass to BIG-IP APM Migration Datasheet FirePass Wiki Home Audio Tech Brief - Secure iPhone Access to Corporate Web Applications In 5 Minutes or Less - F5 FirePass v7 Endpoint Security Pete Silva Demonstrates the FirePass SSL-VPN Technorati Tags: F5, infrastructure 2.0, integration, cloud connect, Pete Silva, security, business, education, technology, application delivery, intercloud, cloud, context-aware, infrastructure 2.0, automation, web, internetF5 International Technology Center Video Tour
I visited F5's International Technology Center in the heart of London and want to share an amazing tour with Shareef Qureshi, F5 Product Management Engineer. The facility includes a state of the art lab facility, executive briefing center, workroom facilities and an immersive TelePresence room. See the equipment, how it's managed and cooled, the meeting facilities and more. Only a month old, the F5 ITC showcases some of the latest data center technology. F5’s new London ITC will be the first Application Delivery & Data Solutions competency center in all of EMEA. Special thanks to Ross Draper for following us around. </p> <p><font size="2">ps</font></p> <p><font size="2">Related:</font></p> <ul> <li><a href="http://youtu.be/Jg2g7nCUZdQ" _fcksavedurl="http://youtu.be/Jg2g7nCUZdQ"><font size="2" face="Tahoma">F5 EMEA Video</font></a></li> <li><a href="http://devcentral.f5.com/s/weblogs/psilva/archive/2011/10/19/london-ipexpo-2011.aspx" _fcksavedurl="http://devcentral.f5.com/s/weblogs/psilva/archive/2011/10/19/london-ipexpo-2011.aspx"><font size="2" face="Tahoma">London IPEXPO 2011</font></a></li> <li><a href="http://devcentral.f5.com/s/weblogs/psilva/archive/2011/10/21/london-ipexpo-2011-the-wrap-up.aspx" _fcksavedurl="http://devcentral.f5.com/s/weblogs/psilva/archive/2011/10/21/london-ipexpo-2011-the-wrap-up.aspx"><font size="2" face="Tahoma">London IPEXPO 2011 - The Wrap Up</font></a></li> <li><a href="http://www.youtube.com/user/f5networksinc" _fcksavedurl="http://www.youtube.com/user/f5networksinc"><font size="2" face="Tahoma">F5 Youtube Channel</font></a></li> <li><a href="http://www.f5networks.co.uk/" _fcksavedurl="http://www.f5networks.co.uk/"><font size="2" face="Tahoma">F5 UK Web Site</font></a></li> </ul> <p><font size="2">Technorati Tags: </font><a href="http://technorati.com/tags/F5" _fcksavedurl="http://technorati.com/tags/F5"><font size="2">F5</font></a><font size="2">, </font><a href="http://technorati.com/tags/london" _fcksavedurl="http://technorati.com/tags/london">london</a><font size="2" /><font size="2">, </font><a href="http://technorati.com/tags/integration" _fcksavedurl="http://technorati.com/tags/integration"><font size="2">integration</font></a><font size="2">, </font><a href="http://technorati.com/tags/Pete+Silva" _fcksavedurl="http://technorati.com/tags/Pete+Silva"><font size="2">Pete Silva</font></a><font size="2">, </font><a href="http://technorati.com/tags/security" _fcksavedurl="http://technorati.com/tags/security"><font size="2">security</font></a><font size="2">, </font><a href="http://technorati.com/tag/business" _fcksavedurl="http://technorati.com/tag/business"><font size="2">business</font></a><font size="2">, </font><a href="http://technorati.com/tag/emea" _fcksavedurl="http://technorati.com/tag/emea"><font size="2">emea</font></a><font size="2">, </font><a href="http://technorati.com/tag/technology" _fcksavedurl="http://technorati.com/tag/technology"><font size="2">technology</font></a><font size="2">, </font><a href="http://technorati.com/tags/technology+center" _fcksavedurl="http://technorati.com/tags/technology+center"><font size="2">tech center</font></a><font size="2">, </font><a href="http://technorati.com/tags/big-ip" _fcksavedurl="http://technorati.com/tags/big-ip"><font size="2">big-ip</font></a><font size="2">, </font><a href="http://technorati.com/tags/video" _fcksavedurl="http://technorati.com/tags/video"><font size="2">video</font></a><font size="2">, </font><a href="http://technorati.com/tags/education" _fcksavedurl="http://technorati.com/tags/education"><font size="2">education</font></a></p></body></html> ps Related: F5 EMEA Video London IPEXPO 2011 London IPEXPO 2011 - The Wrap Up F5 Youtube Channel F5 UK Web Site Technorati Tags: F5, london, integration, Pete Silva, security, business, emea, technology, tech center, big-ip, video, education
